pfSense behind ATT Gateway
How to properly configure pfSense behind ATT gateway/router...?
I believe I have to check (wasn't able to get it working otherwise) allow DNS servers to be overridden on the WAN in order to get ATT gateway public IP assigned to pfSense WAN, but this then adds ATT's DNS servers. (Performing a DNS test using dnsleaktest returns only ATT DNS servers.) How can I use pfSense behind ATT's appliance, but only use DNS resolver and Quad9 (or any DNS provider besides ATT for that matter)?
I have unchecked DNSSEC, harden DNSSEC as I assume these will not work with ATT's DNS servers, but I would like to use DNSSEC and DNS over TLS/https after getting a basic quad9 setup to work, just so it's a little more clear why I'm trying to do this.
Also, any knowledge/experience using home.arpa as your domain? The RFC states it as 'home.arpa.', but this does not work. What does the extra dot at the end signify?
Primary DNS Server 188.8.131.52
Secondary DNS Server 184.108.40.206
Override DNS [x]
Time Server Information
Time server hostname 0.pfsense.pool.ntp.org
Configure WAN Interface
Block RFC1918 Private Networks [ ]
Block bogon networks [x]
Configure LAN Interface
LAN IP Address 192.168.1.1
Subnet Mask 
System > Advanced > Networking
Allow IPv6 [ ]
Prefer IPv4 over IPv6 [x]
IPv6 DNS entry [x]
Settings > Firewall > Applications, Pinholes and DMZ
Allow device application traffic to pass through firewall
Select a computer pfsense
(.) Allow all applications (DMZplus mode)
#Enter device access code
Settings > Firewall > Advanced Configuration
Block Ping [ ]
Strict UDP Session Control [ ]
Services > DNS Resolver
DNS Resolver Configuration
Listen Port 53
DNS Query Forwarding [ ]
Enable Forwarding Mode [ ]
Services > DNS Resolver > Advanced Options
Advanced Resolver Options
Serve Expired [x]
Number of Hosts to Cache 20000
Unwanted Reply Threshold 10000000
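An added example, not from this thread, showing what the trailing dot in "home.arpa." means: it is the empty root label, so the name is fully qualified and a stub resolver looks it up as-is instead of appending a search suffix. The `host_fqdn` helper and the search-list behaviour it models are assumptions about how a domain field is typically joined to hostnames (resolv.conf-style search/ndots semantics), not a description of pfSense internals:

```python
from __future__ import annotations

# Added example: trailing dot = root label = fully qualified name.
# Assumption: a domain-suffix field is joined to hostnames with "." the way
# resolver search lists are, so "home.arpa." produces an empty label.

def is_valid_hostname(name: str) -> bool:
    """RFC 1035-style syntax check: labels 1-63 chars, no empty labels
    inside the name (one trailing root dot is allowed), total <= 253."""
    fqdn = name[:-1] if name.endswith(".") else name
    if not fqdn or len(fqdn) > 253:
        return False
    for label in fqdn.split("."):
        if not 1 <= len(label) <= 63:
            return False  # empty label, e.g. from "printer.home.arpa.."
        if label.startswith("-") or label.endswith("-"):
            return False
        if not all(c.isalnum() or c == "-" for c in label):
            return False
    return True

def qualify(name: str, search_list: list[str], ndots: int = 1) -> list[str]:
    """Absolute names a stub resolver would try, in order (search/ndots
    semantics as in /etc/resolv.conf). A trailing dot skips the search list."""
    if name.endswith("."):
        return [name]  # already absolute: looked up exactly as written
    candidates: list[str] = []
    if name.count(".") >= ndots:
        candidates.append(name + ".")  # enough dots: try as-is first
    for suffix in search_list:
        candidates.append(f"{name}.{suffix.rstrip('.')}.")
    if name.count(".") < ndots:
        candidates.append(name + ".")  # bare name is the last resort
    return candidates

def host_fqdn(host: str, domain: str) -> str:
    """Join a hostname to a configured domain (assumed "host.domain." form);
    a domain that already ends in "." yields a double dot, an empty label."""
    return f"{host}.{domain}."

if __name__ == "__main__":
    for domain in ("home.arpa", "home.arpa."):
        fqdn = host_fqdn("printer", domain)
        print(f"domain={domain!r:12} -> {fqdn!r} valid={is_valid_hostname(fqdn)}")
    print(qualify("printer", ["home.arpa"]))
    print(qualify("home.arpa.", ["home.arpa"]))
```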
I have not tried this with pfSense yet but have with a D-Link router. If the AT&T router has a passthrough mode you can try that, and the pfSense should get a public IP. As I seem to recall I ran into sporadic problems with that after a firmware update to the D-Link router, and ended up using the DMZ mode of the AT&T router to send traffic to the D-Link, so that could be another option. Then the WAN would end up being on the AT&T router's private subnet.
Ok, yeah, when I had "do not override DNS from the WAN" unchecked, pfSense was given an internal IP from ATT and was able to access the internet. Any problems with it being an internal IP? Double NATing issues, OpenVPN...?
People talk about double NAT being a problem but honestly I've never seen it. We've been running our office and my home that way for years, as well as a few clients where the ISP couldn't/wouldn't turn on bridging. We are using 1:1 NAT in our office and a DMZ setting on other ISP routers that aren't bridged (which forwards all ports to the DMZ IP). In Interfaces/WAN you can uncheck "Block private networks and loopback addresses" to be able to connect to the AT&T router.
People talk about double NAT being a problem but honestly I've never seen it.
It can be problematic depending on what protocols you're using.. Agree most normal use wouldn't have a problem.. But there are many protocols that could have issues with it for sure.
Depending on how many users you have, and if they have applications that require specific ports, you could have problems doing that sort of thing as well, etc.
It's also not as efficient, and anything that is doing NAT will cause a hit.. Be it you actually notice it or not is another thing.. The answer here is you should avoid it if you can.. But unless you're doing something specific, most likely everything will work.
Would setting up Quad9 DNS on a VLAN (and then just using the VLAN for everything), while leaving LAN to have DNS overridden and WAN IP assigned by ATT help? Like have the resolver not respond on the LAN interface, set ATT DNS IP in system > general setup... This means I wouldn't be able to turn on forwarder though (as it then looks at the system > general setup DNS servers)? I could also pass Quad9 via DHCP, but I would like to take advantage of the resolver caching.
@MilesMorales I don't understand the comments about DNS override settings since that shouldn't affect what address the WAN interface gets. Is your WAN set to DHCP? If you use the DMZ feature of the AT&T router you can give your pfSense a static IP and use whatever DNS servers you want in System/General.
applications that require specific ports
We don't enable uPnP as a rule, and just set up port forwarding on the pfSense as normal. In our office we have several hundred client PCs checking in, have email/Exchange, master DNS, remote connections, etc. I'm not saying you're wrong just never run into an issue. :) My guess is it's mostly a problem if people don't set up the pfSense to be in the ISP router DMZ and don't forward ports in the ISP router. As I noted ISP router passthrough mode may be easier if it works so the pfSense gets a public IP. I've just had mixed results with that on AT&T DSL/Uverse.
I'm not saying you're wrong just never run into an issue
And do you run a passive FTP server behind your double NAT.. Do you have clients that are trying to do active FTP to some server on the public internet? Where one of the NATting routers doesn't have APM to allow for the data ports? Do you run any software that requires static ports.. Say ISAKMP?
There are plenty of scenarios where it could be problematic..
Even when you put pfSense into the DMZ setting of the upstream router - doesn't matter if there are issues with the double NAT. Just because you have not run into a specific issue with your stuff, doesn't mean it can't be an issue.
You sure shouldn't choose to be behind a double nat if you don't have to..
The problem quite often isn't that whatever couldn't be done with a double NAT, it's that you don't have access to do what you need to do on the upstream ISP router that is NATting.. Where if you could remove that NAT, you would have only 1 NAT to deal with that you control..
@teamits it is set to DHCP. And yeah, I don't understand either.. So I did a clean install of pfSense. Set Quad9 DNS servers and did not allow DNS override. This assigned an internal IP to my WAN. I was expecting my public IP to be set on the WAN, so to troubleshoot I allowed DNS to be overridden and restarted pfSense. After that pfSense WAN had my public IP address and ATT DNS servers appeared, in addition to Quad9, in my System > Setup.
As an aside, this broke my internet connection, I assume because DNSSEC was enabled, along with its companion options.. Still trying to figure out as to why, and if there is just a way to go around ATT (at least for the most part), like setting up a VLAN... One reason I am trying to do this is because later I will try and set up a PIA OpenVPN connection, and based on my experience with that, I will need ATT's DNS servers in some capacity to resolve their hostnames when PIA's IP address changes, as I will not be able to use the OpenVPN gateway to resolve it since it will be down.. This means pfSense DNS resolver will need to use ATT's (or hopefully Quad9's) DNS servers occasionally to resolve PIA's hostname.
Back to your question, I configured ATT gateway/router to put pfSense in DMZplus mode. This is the only option, as far as I can tell. There is no bridge option. There is no option to give it a static IP specifically, but I do see an option in the "LAN IP Address Allocation" page to give it "Public (select WAN IP Mapping)." I will try this and see if it doesn't automatically set to private when not allowing DNS to be overridden.
Also, one thing I'm not sure about is if ATT is hijacking blocking DNS queries to other providers and if this might be the cause of some of my issues..
Anyway, thank you, I will try this and then post back here.
@teamits this worked :) Setting "LAN IP Address Allocation" to "Public (select WAN IP Mapping)" on the ATT gateway, reinstalling pfSense, and unchecking DNS override.
Also, I then went to dnsleaktest, but an ATT DNS server was returned.. I checked DNS Resolver forwarding mode and then it returned Quad9 (WoodyNet ISP) servers. Not sure if the ATT DNS server was a root NS or if the queries were being redirected by ATT gateway or what... Perhaps I could fix this by setting my WAN as Gateway under System > General Setup > DNS Server Settings (instead of none)...
I'm also considering whether it might be better based on Qunn's comment in this discussion if I should just use the resolver without Quad9 (and just forward to root nameservers).
TLS configuration is working. DNSSEC is working though I am reviewing whether to leave it checked or not based on this discussion. Looking into "Enable SSL/TLS Service" for local DNS over TLS just as an extra for internal network encryption... Firewall rule(s) to ensure no DNS leaks...
Here is my guide thus far, for anyone it might help...